The vulnerability of computer systems, configurations, software, and protocols to unauthorized access or use is a recognized problem. Vulnerabilities can cause anything from minor annoyances to critical national security risks. Automated tools have made it easier for hackers and other unauthorized users to probe systems and discover vulnerabilities. Once vulnerabilities are discovered, exploits, which are sequences of commands or blocks of data that take advantage of vulnerabilities, are disseminated and deployed. Today, given the ubiquitous nature of internet communications and the value of information and transactions hosted on the internet, discovery and exploitation of vulnerabilities have become widespread.
Often, exploits seek to compromise security by introducing into a target system data that the target system can interpret in a way that facilitates the attack. One classic form of attack is the so-called buffer overflow attack, in which an exploit causes vulnerable code to write data to memory in such a way that locations beyond the ostensible write target are updated. Typically, the data written takes the form of an input string that includes data which, if successfully introduced into memory in a precise location, will be interpreted by executing code (typically privileged code) in a way that facilitates the exploit. For example, if a write operation improperly writes 2 KBytes of data to a 128 Byte data structure, memory locations may be updated beyond the data structure intended by the original programmer. If those memory locations include the stack or a pointer used by privileged code, an attacker may successfully alter an execution path of privileged code. Other exploits may modify data upon which privileged code relies. In any case, a precisely crafted input string can be used to compromise a computer system.
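The 2 KByte write into a 128 Byte data structure described above, shown as an added example that is not part of the original text: the missing length check beside its corrected form. The struct layout, the `handler_id` field (a stand-in for the pointer used by privileged code), the filler input, and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   128u    /* the 128 Byte data structure from the text */
#define INPUT_SIZE 2048u   /* the 2 KByte write from the text */

/* Constructed layout: the buffer, then data that other code trusts. */
struct record {
    unsigned char buf[BUF_SIZE];
    uint32_t handler_id;       /* stands in for a pointer used by privileged code */
    unsigned char rest[4096];  /* spare room so the demonstration stays in bounds */
};

/* Flawed: never compares len with BUF_SIZE (buf is at offset 0 of *r). */
static void store_unchecked(struct record *r, const unsigned char *src, size_t len) {
    memcpy((unsigned char *)r, src, len);
}

/* Corrected: refuse any write that does not fit the destination. */
static int store_checked(struct record *r, const unsigned char *src, size_t len) {
    if (len > sizeof r->buf)
        return -1;
    memcpy(r->buf, src, len);
    return 0;
}

/* Performs one 2 KByte write; returns handler_id afterwards, status via *rc. */
static uint32_t run(int checked, int *rc) {
    static unsigned char input[INPUT_SIZE];
    struct record r = { .handler_id = 1 };
    memset(input, 0x41, sizeof input);   /* constructed filler input */
    *rc = 0;
    if (checked)
        *rc = store_checked(&r, input, sizeof input);
    else
        store_unchecked(&r, input, sizeof input);
    return r.handler_id;
}

int main(void) {
    int rc;
    uint32_t h = run(0, &rc);
    printf("unchecked: handler_id=0x%08x\n", (unsigned)h);
    h = run(1, &rc);
    printf("checked:   handler_id=0x%08x rc=%d\n", (unsigned)h, rc);
    return 0;
}
```

In the unchecked run the trusted field ends up holding input bytes; in the checked run the write is rejected and the field keeps its original value.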
Vulnerability to such attacks generally results from poor programming practices and/or bugs. However, such vulnerabilities are surprisingly widespread in commercial, off-the-shelf software. A majority of the most damaging internet “worms” have employed techniques that resulted in direct corruption of function-pointers. Two notable examples are the 1988 Morris Internet worm, which exploited (amongst other vulnerabilities) an unchecked buffer write in the UNIX fingerd program, and the 2003 Slammer worm, which exploited a buffer overflow vulnerability in computers running Microsoft's SQL Server.
In general, the strategy of such attacks is reasonably well understood, and a variety of security techniques have been developed to detect and/or defeat some such attacks. Techniques employed have typically required a binary-rewriting pass or, worse, source code analysis. Another security technique that has been proposed involves (1) modifications to processor hardware and related structures of a memory hierarchy to store and manage security tags and (2) modifications to operating system implementations to mark spurious input data.